Thought Leadership

One bad morning

Imagine you’re a successful executive at a large IT company. You’re in charge of security. Your decade-old firm is well established, selling complex, popular IT solutions to large corporations and government bodies. It’s an ordinary Saturday morning, you’re having your coffee and your phone rings. The caller informs you that your company has been subject to a massive cyberattack. Your company’s systems are compromised, and, worse, so are those of your customers. It’s your “nightmare moment”.

This sounds like a movie plot, but it actually happened to a US-based company called SolarWinds in late 2020. In what was one of the largest, most meticulous and most sophisticated cyberattacks in history, operatives inserted a trojan horse (which disguises itself as a harmless file but has malicious code inside) into the update of SolarWind’s Orion software – used by corporations, government entities and other organisations to monitor and manage their own IT systems. Such was the intricacy of the attackers’ method, an expert likened it to a razor blade being secretly inserted into candy just before the package is sealed inside the candy factory – no-one would think anything was amiss.

The software then lay dormant for around two weeks before springing to life, taking control of computers and, in some cases, stealing highly important and sensitive files and disguising the transfers as ordinary network traffic to evade detection – which the hack did successfully for upwards of nine months before being discovered. In the meantime, top-level US Treasury Department emails were accessed, the Justice Department and other federal departments were breached, and prominent institutions around the world including the European Parliament, Britain’s Home Office, Boeing, AstraZeneca, and Los Alamos National Laboratory were all targeted.

The damage caused, both financial and security-related, was extreme – the perpetrators covered their tracks and removed evidence so effectively that the only fix was often to rebuild entire IT systems from the ground up.

Finding a way to measure cybersecurity risk

The SolarWinds attack catapulted cybersecurity issues into the headlines and had IT departments in firms everywhere scrambling to improve their defences. It also caught the attention of The University of Hong Kong’s Roni Michaely; Chris Florackis (University of Liverpool), Christodoulos Louca (Cyprus University of Technology), and Michael Weber (University of Chicago), who were studying how cybersecurity risks affect the value of companies. The news galvanised their work and eventually led to the publication of their paper, titled: “Cybersecurity Risk” in the prestigious Review of Financial Studies journal.

Michaely et al. sought to achieve two aims: Propose a way to measure cybersecurity risk for all listed companies in the US; and to see if cybersecurity risk is priced into the companies’ stock returns.

Their measurement was built on two ideas: the first being that firms hit by cyberattacks had actually been more vulnerable to these attacks before the event and that they had expressed this heightened risk in their corporate disclosures. The second was that firms with similar levels of cybersecurity risk will describe these risks in similar ways.

The team devised a web-crawling algorithm that extracted text relating to cybersecurity risks in firms’ 10-K forms from 2007 to 2018. Filed every year by publicly-traded companies in the US, 10-Ks are more than mere forms – they are complicated, comprehensive reports that provide an overview of a business, its risk factors, selected financial data, discussion and analysis by management of the company’s results, as well as financial statements and other data.

They then identified firms that were subject to a major cyberattack to create a training sample. By scanning both cybersecurity risk disclosures and news reports, they found 69 major cyberattacks that had occurred between 2005 and 2018. By comparing the wording in the relevant parts of the 10-K risk disclosure section of the attacked firms with those of all other firms, they concluded that “firms that use similar words to describe their risk exposure and exposure management exhibit similar levels of cybersecurity risk”.

Here was the cybersecurity risk measure: The higher the measured similarity in cybersecurity risk disclosures made by firms, the greater their general exposure to cybersecurity risk. Firms with high scores tended to extensively discuss risk in their 10-K forms – revealing previous cyberattacks or attempts, or admitting to the difficulties involved in defending against these risks – while firms with low scores either believed that their preventative measures had mitigated cybersecurity risks, or did not even include a separate cybersecurity section in their 10-Ks.

Validating the findings

The team validated their findings in several ways. They found that firms with higher scores provided “lengthier and more comprehensive cybersecurity risk disclosures in their 10-Ks, discuss[ed] legal consequences associated with cybersecurity risk, use[d] more precise language, and use[d] more negative words in their discussions, which potentially lowers their exposure to litigation risk”. These high-scoring firms also actively managed their risk exposure by taking action like purchasing cyber insurance policies.

Most directly, the risk measure was validated by the fact that firms with higher cybersecurity risk scores were more likely to experience a future cyberattack. They found that “a one-standard-deviation increase in [their] cybersecurity risk score increases the probability of a future cyberattack by 92.70%”, adding that “This predictability is reassuring and provides direct evidence that our measure reliably captures firms’ exposure to cybersecurity risk.”

Essentially, the more that firms are concerned about and disclose cybersecurity risks, the more at risk they are – meaning their measure can actually predict cyberattacks!

Are cybersecurity risks priced into stocks?

In the second part of their paper, the team used the measure to examine whether cybersecurity is priced in to stock returns; theorising that the higher a firm’s exposure to cyberattacks, the greater the return expected by investors.

To determine this, they sorted stocks into portfolios based on their cybersecurity risk scores and then tracked their returns over time. They found that a portfolio that held on to stocks in firms with higher cybersecurity risk and sold stocks with a low such risk earned an excess return of over 8% per year. After checking these results by sorting them in numerous other ways – including by firm size, book-to-market ratio, profitability, institutional ownership, illiquidity, idiosyncratic volatility, risk section length, and 10-K readability – they determined that this excess return remained valid.

After running yet more statistical tests, a strong positive relationship between cybersecurity risk and stock returns was not only found, but determined to predict stock returns up to a year into the future. Finally, they executed an economic significance test – if risk is truly priced into stock returns, they theorised, then “high cybersecurity risk stocks should perform poorly and significantly worse than low cybersecurity risk stocks on the days when cybersecurity risk concerns materialize”.

They sorted stocks into groups based on market value, then into groups based on their risk measure; and then calculated daily returns mimicking a cybersecurity risk factor from 2008-2019. Using daily search volume index data from Google Trends, they identified days when there was increasing attention to cybersecurity risk by looking at spikes in the use of words like “hacker” and “data breach”. After a lot of regression analysis, they determined with confidence that according to this model, firms with high cybersecurity risk generally earn high returns, but “perform poorly on days with heightened concerns about cybersecurity” – this shows without a doubt that cybersecurity risk is priced into returns – thus compensating investors for their elevated level of risk.

Helping thwart future attacks

Concluding with a flourish, Michaely and his partners used the SolarWinds hack to provide additional evidence for both parts of their paper. They found that firms with higher forecast cybersecurity risk scores saw negative returns around the time of the SolarWinds incident; they also found that the cybersecurity risk measure they devised was positively associated with the probability of being in the group of firms affected by the attack – i.e. those that the measure identified as having a higher cybersecurity risk beforehand were more likely to have been hacked.

Their work has opened a number of doors to new research into the very real and very worrying field of cyberattacks. A highly non-scientific glance at today’s headlines reveals recent attacks across the world: Indigo Books & Music in Canada was hit in early February 2023, knocking their website and payment methods offline. The Indonesian unit of Australia’s Commonwealth Bank just experienced “unauthorised access of a web-based software application used for project management”, while cyberattacks have crippled a major hospital in Barcelona, Spain, an Israeli university and Northern Essex Community College near Boston. Horrifically, hackers also appear to have distributed photos of cancer patients undergoing treatment. These were stolen from a Pennsylvania health group in a ransomware attack, in which hackers steal sensitive photos or files and threaten to publish them unless they are paid.

Truly a “nightmare scenario” for companies and society at large.

Michaely et al.’s cybersecurity risk measure and its underlying methodology will help enable the systematic analysis of cybersecurity risk and its implications for firms in terms of their value, corporate policies and operations. In turn this will help boost cyber-defences around the planet and make the online world a little safer for all of us.

About this Research

Chris Florackis, Christodoulos Louca, Roni Michaely and Michael Weber. Cybersecurity Risk, The Review of Financial Studies, Volume 36, Issue 1, January 2023, Pages 351–407

Read the original article

References

Brown, L., (March 8, 2023). ‘Russian hackers post nude photos of US cancer patients to dark web in sick extortion plot’. New York Post. https://nypost.com/2023/03/08/russian-hackers-post-nude-photos-of-us-cancer-patients-to-dark-web/

Fama, E. F., and J. D. MacBeth. 1973. Risk, return, and equilibrium: Empirical tests. Journal of Political Economy 81:607–36.

Florackis, C., Louca, C., Michaely, R., and M. Weber. 2023. Cybersecurity risk. The Review of Financial Studies, 36(1), 351-407.

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims with SUNBURST Backdoor. Fireeye (December 13, 2020). Retrieved March 8, 2023 from https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Hvistendahl, M., Lee, M., Smith, J., (December 17, 2020). ‘Russian Hackers Have Been Inside Austin City Network for Months’. The Intercept. https://theintercept.com/2020/12/17/russia-hack-austin-texas/

Kenton, W., (April 18, 2022). 10-K: ‘Definition, What’s Included, Instructions, and Where to Find it’. Investopedia. https://www.investopedia.com/terms/1/10-k.asp

Loughran, T., and B. McDonald. 2011. When is a liability not a liability? Textual analysis, dictionaries, and 10-Ks. Journal of Finance 66:35–65.

One month after cyberattack hit, what’s next for Indigo?. CTV News (March 8, 2023). Retrieved March 8, 2023 from https://www.ctvnews.ca/business/one-month-after-cyberattack-hit-what-s-next-for-indigo-1.6303819

Schwartz, S., (October 26, 2021). ‘A conversation with SolarWinds’ CISO. Cybersecurity Dive.  https://www.cybersecuritydive.com/news/solarwinds-ciso-tim-brown-leadership/608847/

Temple-Raston, D., (April 16, 2021). ‘A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack’. NPR. https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

Timberg, C. and Nakashima, N., (December 14, 2020). ‘Russian hack was ‘classic espionage’ with stealthy, targeted tactics’. The Washington Post. https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/